@adam-tyler said in Migrate CA:
automatically removed when the CA role is uninstalled
Adam,
I hope all is well. Great series of questions about ADCS and its operational intricacies. Let's jump in and take care of all those questions....
Q2: You are spot on with this, as this is the recommended and standard way this is done. There are other options, such as using PowerShell to script this activity (up to you), but it may be more trouble than it is worth.
I am including a sample script that would allow you to have a sense of what would have to be done, and to play with / start from if you want to explore your options:
NOTE: You will need to change the template name to whatever you are using in your environment.
NOTE: Needs PowerShell V3 or above
=========================================================================================
#Requires -Version 3
# Get the local machine certificate store
$my = Get-ChildItem Cert:\LocalMachine\My
# OID 1.3.6.1.4.1.311.21.7 is the Certificate Template Information extension; its formatted
# text contains "Template=<template name>". Change the template name to match your environment.
$templateOid  = "1.3.6.1.4.1.311.21.7"
$templateName = "Domain Controller Authentication"
# Get the active (non-archived) certificate issued from that template. Certificates without the
# extension (e.g. imported third-party certs) are skipped instead of throwing on a null extension.
$dccert = $my | Where-Object {
    (-not $_.Archived) -and
    ($_.Extensions[$templateOid] -ne $null) -and
    ($_.Extensions[$templateOid].Format($false) -match $templateName)
}
if (-not $dccert) { "ERROR! No active '$templateName' certificate found in the local store"; return }
"INFO! Existing DC cert $($dccert.SerialNumber) will be removed from local store"
# Delete the existing cert
Remove-Item $dccert.PSPath
if ($?) {
    "SUCCESS! Removed old certificate. Triggering autoenrollment for new cert.."
    # Trigger autoenrollment; it runs in the background, so allow it a moment to complete
    certutil -pulse
    Start-Sleep -Seconds 30
    # Re-read the store and check for the freshly enrolled certificate from the same template
    $my = Get-ChildItem Cert:\LocalMachine\My
    $dccert = $my | Where-Object {
        (-not $_.Archived) -and
        ($_.Extensions[$templateOid] -ne $null) -and
        ($_.Extensions[$templateOid].Format($false) -match $templateName)
    }
    if ($dccert) { "INFO! DC certificate is now $($dccert.SerialNumber)" }
    else { "WARNING! No new certificate yet; check autoenrollment on this host and the CA's issued/pending requests" }
}
else {
    "ERROR! Unable to remove existing certificate"
}
================================================================================
Q3: If the root CA is an offline root CA (standalone root CA), then you must publish the root certificate into AD:
certutil -dspublish RootCACertificate RootCA
This will then use the autoenrollment settings to distribute the certificate to the trusted root store of all domain joined clients.
If the root CA was joined to the domain, this will eventually happen automatically, but it can take up to 8 hours (default GPO application time). To force the issue, reboot a client computer and it will pick up the root CA certificate. Typically, I will plan for an overnight period to allow distribution to fully populate all machines.
Q4: Those entries are not automatically removed. The only thing that is automatically adjusted / removed / modified during the removal is the pKIEnrollmentService object, which is removed. This prevents clients from trying to enroll against the decommissioned CA. The other objects are retained because certificates that are issued by the CA are probably still outstanding.
For Public Key Infrastructure (PKI) client computers to successfully process these outstanding certificates, the computers must locate the Authority Information Access (AIA) and CRL distribution point paths in Active Directory. It is a good idea to revoke all outstanding certificates, extend the lifetime of the CRL, and publish the CRL in Active Directory. If the outstanding certificates are processed by the various PKI clients, validation will fail, and those certificates will not be used.
If it is not a priority to maintain the CRL distribution point and AIA in Active Directory, you can remove these objects. Do not remove these objects if you expect to process one or more of the formerly active digital certificates.
If you do want to get rid of them and clean up in general, the steps below will point you in the right direction:
Remove all Certification Services objects from Active Directory:
NOTE: You should not remove certificate templates from Active Directory until after you remove all CA objects in the Active Directory forest.
To remove all Certification Services objects from Active Directory, follow these steps:
1. Determine the CACommonName of the CA. To do this, follow these steps:
   a. Click Start, click Run, type cmd in the Open box, and then click OK.
   b. Type certutil, and then press ENTER.
   c. Make a note of the Name value that belongs to your CA. (You will need the CACommonName for later steps in this procedure.)
2. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
3. On the View menu, click Show Services Node.
4. Expand Services, expand Public Key Services, and then click the AIA folder.
5. In the right pane, right-click the CertificationAuthority object for your CA, click Delete, and then click Yes.
6. In the left pane of the Active Directory Sites and Services MMC snap-in, click the CDP folder.
7. In the right pane, locate the container object for the server where Certificate Services is installed. Right-click the container, click Delete, and then click Yes two times.
8. In the left pane of the Active Directory Sites and Services MMC snap-in, click the Certification Authorities node.
9. In the right pane, right-click the CertificationAuthority object for your CA, click Delete, and then click Yes.
10. In the left pane of the Active Directory Sites and Services MMC snap-in, click the Enrollment Services node.
11. In the right pane, verify that the pKIEnrollmentService object for your CA was removed when Certificate Services was uninstalled. If the object is not deleted, right-click the object, click Delete, and then click Yes.
12. If you did not locate all the objects, some objects may be left in Active Directory after you perform these steps. To clean up after a CA that may have left objects in Active Directory, follow these steps to determine whether any AD objects remain:
   a. Type the following command at a command line, and then press ENTER:
      ldifde -r "cn=CACommonName" -d "CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com" -f output.ldf
      In this command, CACommonName represents the Name value that you determined in step 1. For example, if the Name value is "CA1 ITPRO," type the following:
      ldifde -r "cn=CA1 ITPRO" -d "cn=public key services,cn=services,cn=configuration,dc=itpro,dc=tv" -f remainingCAobjects.ldf
   b. Open the remainingCAobjects.ldf file in Notepad. Replace the term "changetype: add" with "changetype: delete". Then, verify whether the Active Directory objects that you will delete are legitimate.
   c. At a command prompt, type the following command, and then press ENTER to delete the remaining CA objects from Active Directory:
      ldifde -i -f remainingCAobjects.ldf
13. Delete the certificate templates if you are sure that all of the certificate authorities have been deleted. Repeat step 12 to determine whether any AD objects remain.
   Important: You must not delete the certificate templates unless all the certificate authorities have been deleted. If the templates are accidentally deleted, follow these steps:
   a. Make sure that you are logged on to a server that is running Certificate Services as Enterprise administrator.
   b. At a command prompt, type the following command, and then press ENTER:
      cd %windir%\system32
   c. Type the following command, and then press ENTER:
      regsvr32 /i:i /n /s certcli.dll
      This action re-creates the certificate templates in Active Directory.
   To delete the certificate templates, follow these steps.
   a. In the left pane of the "Active Directory Sites and Services" MMC snap-in, click the Certificate Templates folder.
   b. In the right pane, click a certificate template, and then press CTRL+A to select all templates. Right-click the selected templates, click Delete, and then click Yes.
Delete certificates published to the NtAuthCertificates object:
After you delete the CA objects, you have to delete the CA certificates that are published to the NtAuthCertificates object. Use either of the following commands to delete certificates from within the NTAuthCertificates store:
certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,...,DC=ForestRoot,DC=com?cACertificate?base?objectclass=certificationAuthority"
certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,...,DC=ForestRoot,DC=com?cACertificate?base?objectclass=pKIEnrollmentService"
NOTE: You must have Enterprise Administrator permissions to perform this task.
The -viewdelstore action invokes the certificate selection UI on the set of certificates in the specified attribute. You can view the certificate details. You can cancel out of the selection dialog to make no changes. If you select a certificate, that certificate is deleted when the UI closes and the command is fully executed.
Use the following command to see the full LDAP path to the NtAuthCertificates object in your Active Directory:
certutil -store -? | findstr "CN=NTAuth"
Delete the CA database:
When Certification Services is uninstalled, the CA database is left intact so that the CA can be re-created on another server.
To remove the CA database, delete the %systemroot%\System32\Certlog folder.
That should take care of cleanup !!
Now, about the last part of Q4, the two separate CA implementations in the same domain...
The logic of having two separate CA implementations is typically driven by a need to stratify and differentiate which CA is issuing certificates for compliance reason. (Not the only reason, but the one I come across most often as I deal with these issues for customers).
Assuming that is what is driving you to go this route, or is at least a possibility, the simplest answer is that it would be dependent on the certificate template's issuing CA. In other words, if we assume that certain templates are ONLY issued by a certain CA, then renewal is based on the issuing CA.
Typically certificates are renewed by the issuing CA as a matter of standard operation.
I hope that helps to get you moving in the right direction. If you have any additional questions, please let me know.
Good Luck !!,
Cheers,
Adam
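As an added example that is not part of the post above, the following read-only PowerShell check inventories what a decommissioned CA still owns under the forest's Public Key Services container and in NTAuthCertificates, so it can be run before step 12 and again after the ldifde import to confirm nothing is left. It assumes the ActiveDirectory module (RSAT) is installed; the CA name "CA1 ITPRO" and the host name "ca1" are constructed placeholders.

```powershell
# Added example, not from the original post: read-only inventory of leftover CA objects.
# Assumes the ActiveDirectory module (RSAT). Replace the placeholder CA and host names.
#Requires -Version 3
#Requires -Modules ActiveDirectory
param(
    [string]$CACommonName = "CA1 ITPRO",   # constructed placeholder, use your CACommonName
    [string]$CAServerName = "ca1"          # constructed placeholder, CA host name (CDP is keyed by it)
)

$configNC = (Get-ADRootDSE).configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"

# Same scope as the ldifde export in step 12: every object named after the CA anywhere under
# Public Key Services (AIA, Certification Authorities, Enrollment Services), plus the per-server
# CDP container. Names containing ( ) * or \ must be LDAP-escaped before use in the filter.
$filter    = "(|(cn=$CACommonName)(cn=$CAServerName))"
$remaining = @(Get-ADObject -SearchBase $pks -SearchScope Subtree -LDAPFilter $filter)

if ($remaining.Count -gt 0) {
    "WARNING! $($remaining.Count) object(s) still reference the CA:"
    $remaining | ForEach-Object { "  [{0}] {1}" -f $_.ObjectClass, $_.DistinguishedName }
} else {
    "OK! No AIA/CDP/CA/Enrollment Services objects for '$CACommonName' remain under $pks"
}

# NTAuthCertificates: each cACertificate value is a DER-encoded certificate; decode it so the
# subject and expiry can be reviewed before anything is removed with certutil -viewdelstore.
$ntauth = Get-ADObject -Identity "CN=NTAuthCertificates,$pks" -Properties cACertificate
foreach ($der in @($ntauth.cACertificate)) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    $flag = if ($cert.Subject -match [regex]::Escape($CACommonName)) { "REVIEW: issued by decommissioned CA" } else { "keep" }
    "  NTAuth: {0} serial={1} expires={2:yyyy-MM-dd} -> {3}" -f $cert.Subject, $cert.SerialNumber, $cert.NotAfter, $flag
}
```

The script changes nothing; it only reports, so the removal itself still goes through the ldifde and certutil -viewdelstore steps described in Q4.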